---
title: AWS ECS Fargate
description: Use Terraform to deploy Tracecat into ECS Fargate.
icon: aws
---

<Warning>
  This stack is meant for production use. `TRACECAT__AUTH_TYPES=google_oauth,saml` is the default configuration.
  You'll need to configure [Google OAuth](/self-hosting/authentication/google-oauth) or [SAML SSO](/self-hosting/authentication/saml-sso) to log in.
</Warning>

## Prerequisites

<Note>
The open source Terraform stack deploys Tracecat into AWS with a
public-facing application load balancer (ALB) and public hosted zone.

Internal services (e.g. API, worker, databases) are segregated via private security groups.
If your security model requires an internal-facing ALB and private hosted zone,
please reach out to [founders@tracecat.com](mailto:founders@tracecat.com) for help!
</Note>

- [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
- `curl`, `openssl`, `docker` to create cryptographic keys used in the Tracecat app
- AWS credentials. View [AWS Provider docs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) for details.
- A public Route53 hosted zone (save the hosted zone's domain name and ID)
- To create secrets in Secrets Manager, either:
  - AWS CLI. View [installation docs](https://aws.amazon.com/cli/).
  - Access to the AWS Management Console.

## Instructions

<Steps>
  <Step title="Download Terraform stack">
    Download Terraform modules from GitHub: https://github.com/TracecatHQ/terraform-fargate
  </Step>
  <Step title="Create encryption secrets for Tracecat">
    Tracecat relies on three symmetric encryption keys (`TRACECAT__DB_ENCRYPTION_KEY`, `TRACECAT__SERVICE_KEY`, `TRACECAT__SIGNING_SECRET`) to sign and encrypt secrets within the application.

    ![AWS Secrets Manager](/img/self-hosting/fargate-secrets-manager.png)

    The service key and signing secret are random 32-byte hexadecimal strings generated by the `openssl` CLI tool.
    The database encryption key is created using the `cryptography` Python library, which is run in Docker.

    Download and execute the secrets creation bash script.
    ```bash
    curl -o create-aws-secrets.sh https://raw.githubusercontent.com/TracecatHQ/terraform-fargate/main/scripts/create-aws-secrets.sh
    chmod +x create-aws-secrets.sh && ./create-aws-secrets.sh
    ```
    View [`create-aws-secrets.sh` file on GitHub](https://github.com/TracecatHQ/terraform-fargate/blob/main/scripts/create-aws-secrets.sh) for details
    if you want to run this step manually.
  </Step>
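    As an added example (not the project's `create-aws-secrets.sh`), the following Python reproduces the three key formats the script creates without calling `openssl` or Docker, and validates them before they are stored in Secrets Manager; the secret names are assumed to match the environment variable names above.

```python
import base64
import os
import re
import secrets

# Secret names are assumed to match the env vars named in the docs; "kind" says
# how each value is generated: hex = equivalent of `openssl rand -hex 32`,
# fernet = equivalent of cryptography.fernet.Fernet.generate_key().
SECRET_KINDS = {
    "TRACECAT__DB_ENCRYPTION_KEY": "fernet",
    "TRACECAT__SERVICE_KEY": "hex",
    "TRACECAT__SIGNING_SECRET": "hex",
}
HEX_KEY_RE = re.compile(r"^[0-9a-fA-F]{64}$")  # 32 bytes -> 64 hex chars


def generate_hex_key() -> str:
    # 32 random bytes from the OS CSPRNG, hex encoded (64 characters)
    return secrets.token_hex(32)


def generate_fernet_key() -> str:
    # A Fernet key is base64url(32 random bytes): 44 characters ending in "="
    return base64.urlsafe_b64encode(os.urandom(32)).decode("ascii")


def is_hex_key(value: str) -> bool:
    return HEX_KEY_RE.fullmatch(value) is not None


def is_fernet_key(value: str) -> bool:
    try:
        raw = base64.urlsafe_b64decode(value.encode("ascii"))
    except ValueError:  # covers binascii.Error and non-ASCII input
        return False
    return len(value) == 44 and len(raw) == 32


def generate_secrets() -> dict:
    return {n: generate_fernet_key() if k == "fernet" else generate_hex_key()
            for n, k in SECRET_KINDS.items()}


def validate_secrets(values: dict) -> list:
    # Names whose value is missing or does not have the expected shape
    check = {"fernet": is_fernet_key, "hex": is_hex_key}
    return [n for n, k in SECRET_KINDS.items() if not check[k](values.get(n, ""))]
```

    Run `validate_secrets` on the values you are about to store (or on values already in Secrets Manager) to catch a truncated or wrongly encoded key before the stack is deployed.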
  <Step title="Retrieve secret ARNs">
    Store the ARNs of the three created secrets in a secure place.
    You will need these ARNs to pass into the Terraform stack as variables.

    You can find the ARNs in the web console:
    ![AWS Secret ARNs](/img/self-hosting/fargate-secret-arn.png)
  </Step>
  <Step title="Configure Google OAuth or SAML SSO">
    The Terraform stack has two Google OAuth variables or four SAML SSO variables that need to be configured to set up Google OAuth or SAML SSO.
    The variables are:
    - `oauth_client_id_arn`
    - `oauth_client_secret_arn`
    - `saml_idp_metadata_url_arn`

    These variables are the ARNs of the AWS Secrets Manager secrets that contain the Google OAuth or SAML SSO configuration.
    Create the secrets in AWS Secrets Manager and take note of the ARNs.
  </Step>
  <Step title="Deploy stack">
    Initialize Terraform and deploy the stack by running the following commands:

    ```bash
    # Initialize Terraform directory
    terraform init

    # (Optional) Set Terraform variables via env vars
    export TF_VAR_domain_name=<your-hosted-zone-domain-name>
    export TF_VAR_hosted_zone_id=<your-hosted-zone-id>
    export TF_VAR_tracecat_db_encryption_key_arn=<secret-arn>
    export TF_VAR_tracecat_service_key_arn=<secret-arn>
    export TF_VAR_tracecat_signing_secret_arn=<secret-arn>

    # Either: Set Google OAuth variables
    export TF_VAR_oauth_client_id_arn=<secret-arn>
    export TF_VAR_oauth_client_secret_arn=<secret-arn>

    # Or: Set SAML SSO variables
    export TF_VAR_saml_idp_metadata_url_arn=<secret-arn>

    # Create Terraform stack
    terraform apply
    ```
    Wait for the Terraform stack to deploy.
    This can take up to 10 minutes as spinning up new RDS databases can be slow.

    <Tip>
      You can configure the Tracecat Fargate deployment via Terraform variables.
      View available configs in the [`variables.tf` file on GitHub](https://github.com/TracecatHQ/terraform-fargate/blob/main/variables.tf).
    </Tip>
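    Added pre-flight check, not part of the Terraform stack, that verifies the exported `TF_VAR_*` values before `terraform apply`: required inputs present, Secrets Manager ARNs well-formed, no `<...>` placeholder left in, and at least one complete auth set (both OAuth ARNs or the SAML ARN, an assumed rule matching the either/or above). The hosted zone ID pattern is also an assumption.

```python
import os
import re
import sys

# Secrets Manager ARN shape: arn:aws:secretsmanager:<region>:<account-id>:secret:<name>
SECRET_ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:secret:\S+$")
# Route53 hosted zone IDs start with "Z" (assumed shape, deliberately loose)
HOSTED_ZONE_RE = re.compile(r"^Z[A-Z0-9]+$")

REQUIRED = {  # variable -> expected format (None: any non-empty value)
    "TF_VAR_domain_name": None,
    "TF_VAR_hosted_zone_id": HOSTED_ZONE_RE,
    "TF_VAR_tracecat_db_encryption_key_arn": SECRET_ARN_RE,
    "TF_VAR_tracecat_service_key_arn": SECRET_ARN_RE,
    "TF_VAR_tracecat_signing_secret_arn": SECRET_ARN_RE,
}
OAUTH = ("TF_VAR_oauth_client_id_arn", "TF_VAR_oauth_client_secret_arn")
SAML = ("TF_VAR_saml_idp_metadata_url_arn",)


def check_vars(env: dict) -> list:
    """Return a list of problems; an empty list means apply can proceed."""
    problems = []
    for name, pattern in REQUIRED.items():
        value = env.get(name, "")
        if not value:
            problems.append(f"{name} is not set")
        elif pattern is not None and not pattern.fullmatch(value):
            problems.append(f"{name} has an unexpected format: {value!r}")
    # Assumed rule: at least one complete auth set (both OAuth ARNs, or SAML)
    if not (all(env.get(n) for n in OAUTH) or all(env.get(n) for n in SAML)):
        problems.append("set both oauth_* ARNs and/or the saml_idp_metadata_url ARN")
    for name in OAUTH + SAML:
        value = env.get(name)
        if value and not SECRET_ARN_RE.fullmatch(value):
            problems.append(f"{name} has an unexpected format: {value!r}")
    # Catch docs placeholders (e.g. <secret-arn>) copied verbatim
    problems += [f"{n} still holds a placeholder" for n, v in env.items()
                 if n.startswith("TF_VAR_") and v.startswith("<")]
    return problems


if __name__ == "__main__":
    issues = check_vars(dict(os.environ))
    print("\n".join(issues) or "TF_VAR_* inputs look complete")
    sys.exit(1 if issues else 0)
```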

  </Step>
  <Step title="Access Tracecat UI">
    Access the Tracecat UI via `https://<your-hosted-zone-domain-name>`.
    You can also view Tracecat's API docs via `https://<your-hosted-zone-domain-name>/api/docs`.
  </Step>
</Steps>

## Login

The first user that logs in via Google OAuth or SAML SSO will be created with default admin privileges.

## Next Steps

- Log into Tracecat and build your first playbook. [View quickstart](/quickstart).
- Read [`variables.tf`](https://github.com/TracecatHQ/terraform-fargate/blob/main/variables.tf) and [`ecs/locals.tf`](https://github.com/TracecatHQ/terraform-fargate/blob/main/modules/ecs/locals.tf) files to better understand Tracecat's configurations.
